TRANSCRIPT
Session 2
FFIEC Guidance and Supplement to Authentication in an Internet Banking Environment
Jim Vilker, NCCO
VP of Professional Services, CMS Audit Link, A Division of CU*Answers
Patrick Sickels, JD, CISA, CRISC Internal Auditor, CU*Answers
Laura Welch-Vilker Manager of Education Services, CU*Answers
December 15, 2011
1
Agenda
• Finalizing the risk assessment
• If necessary, updating policies and procedures
• Updating the account opening process
  – CIP cards and procedures
• Utilizing It’s Me 247 and PIB global settings
• Utilizing PIB individual settings
• Evaluating suspicious activity
• Member and staff educational requirements
2
Five Step Plan for FFIEC Compliance
Step One: Conduct a Risk Assessment on All Online Banking Accounts
If the account involves large dollar amounts passing from the credit union to outside third parties, the risk should be considered high, and the credit union should act accordingly.

Step Two: If Commercial, Set Administrative Functions
Business accounts should have enhanced controls for system administrators who have privileges for setting access, configurations, and limits.

Step Three: Set Layered Security (PIB)
Depending on the risk level of the account, set up access and authorization controls, and set thresholds for account activity, including transaction value thresholds.

Step Four: Detect and Respond to Suspicious Activity
Credit unions can already review the transactional history of clients for suspicious activity. Furthermore, CU*BASE is undergoing development to provide each credit union with more tools to monitor the transaction behavior of members. These new features will be available in 2012.

Step Five: Customer Awareness and Education
At least annually, advise your members on how to protect their accounts, and provide regular follow-up on new threats or ways to enhance the security of their online banking activity.
3
Risk Assessment Example
Overall Risk Assessment (Product Feature)
See sample: http://auditlink.cuanswers.com/2011/12/sample-its-me-247-risk-assessments-in-response-to-ffiec/
“Calling for all samples”
4
Evaluating Results of Risk Assessment
What will your risk assessment tell you?
What if the credit union doesn’t offer commercial accounts?
What if the credit union is SEG based and has very little suspicious activity?
What if the credit union has online commercial accounts?
What if the credit union already has suspicious activity?
Based upon the answers to the above questions, the credit union will need to determine what changes are necessary to the:
• Organization
• Operations
• Ongoing auditing and monitoring
5
Evaluating Suspicious Activity Using MNAUDT #9 and #10
All credit unions should perform this analysis when completing the risk assessment and, based upon the findings of the assessment, determine whether this analysis needs to be performed on a monthly basis for existing accounts.
6
Tools for Completing Your Risk Assessment
MNAUDT # 10
7
Ongoing Risk Assessment Maintenance
1. Conduct on no less than an annual basis
2. Conduct whenever there is a major change to online banking offerings, account types, field of membership, a merger, or new cyber-related threats
3. Provide education on no less than a yearly basis
8
Account Opening Procedures
Changes to CIP card/process
Questions to ask which trigger additional information gathering:
• Commercial in nature
• Expectation of high internet-based third party payments
• Classified by FFIEC as being high-risk
• Utilizing due diligence flag for high-risk accounts
9
Example of Account Risk Assessment
“Calling on all CIP cards”

Transaction Amounts | Destination | Risk
The transaction amounts are large (such as commercial accounts) | To outside third parties, such as A2A or Online Bill Pay | Should be considered HIGH
The transaction amounts are small | Small transactions to outside third parties, or larger transactions to parties within the credit union | Should be considered MEDIUM
The transaction amounts are small | The transactions are within the same accounts of the member (e.g. savings to checking) or the possibility of loss is minimal | Should be considered LOW
10
Commercial Accounts
Credit unions need to ensure that business accounts have additional controls when setting up system administration functions. Credit unions can manage these controls by using PIB (Personal Internet Branch). PIB allows credit unions to set a large range of controls regarding the personnel authorized to make changes, what activity can be done online, and in what amounts. PIB is the primary system for protecting both the member’s funds and protecting the credit union from liability.
11
Commercial Accounts
Control | Purpose
Email notification | Members must always be notified when there is an administrative change to online banking; confirmation emails may need to go to someone other than an authorized user
Confirmation codes | Requires a confirmation code before a high-risk transaction can be performed
Password changes | Should always be through the credit union, including changes to confirmation codes
12
Layered Security
Layered Security is a term meaning that a credit union should have multiple controls with respect to online banking so that if one control fails, another prevents or mitigates the damage.

The PIB (Personal Internet Branch) system allows the credit union to set up layered security for each and every online banking account in accordance with the new FFIEC Guidelines.

PIB should now be considered a requirement for any member engaging in high risk online banking activity. The credit union may wish to control PIB changes in-house, rather than have the member make these changes.
13
Layered Security

Control | Purpose
Email notification | Should be used for every transaction that takes place in online banking, as well as password resets and activation keys
Transaction dollar limits | Critical in high risk transfers to outside third parties; configure the maximum dollars per day and per month
Transaction time limits | Restricts when transfers can take place; useful for businesses who do not need 24/7 online banking access
Disable unused transactions | Credit unions should disable all transactional activity not required by the consumer
Set custom/complex PIN and passwords | Should be recommended for any high risk transactions
Audio banking | Determines what activities are allowed over the phone
PC Registration | Restricts what PCs can be used to perform the transactions
Geographic Location | Restricts the locations where transactions can be performed
Confirmation codes | Requires a confirmation code before a high-risk transaction can be performed
14
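The risk tiers from the account risk assessment slide and the controls in the layered security table can be checked together for a single transfer. The following is an added example written for this transcript, not CU*Answers, CU*BASE or PIB software; the profile field names, the $5,000 "large" threshold, the PC and region identifiers, the e-mail address and the three sample transfers are all constructed. It evaluates every layer rather than stopping at the first failure, which is the point of layered security: the record shows each control that would have caught the transfer on its own.

```python
"""Layered-security check for one online banking transfer.

Added example, not CU*Answers, CU*BASE or PIB code. It models the risk tiers from
the account risk assessment slide and the controls on the layered security slide
(dollar limits per day/month, transaction hours, disabled transaction types, PC
registration, geographic location, confirmation codes, e-mail notification).
All field names, thresholds and sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

THIRD_PARTY = "third_party"    # A2A, online bill pay
WITHIN_CU = "within_cu"        # another member of the same credit union
OWN_ACCOUNTS = "own_accounts"  # e.g. savings to checking

def classify_risk(amount: float, destination: str, large_threshold: float = 5000.0) -> str:
    """HIGH / MEDIUM / LOW per the slide's three rows. The slide gives no dollar
    figure for "large", so large_threshold is a constructed value; combinations
    the slide does not spell out fall to the stricter tier (assumption)."""
    large = amount >= large_threshold
    if destination == THIRD_PARTY:
        return "HIGH" if large else "MEDIUM"
    if destination == WITHIN_CU:
        return "MEDIUM"
    if destination == OWN_ACCOUNTS:
        return "LOW"
    return "HIGH"  # unknown destination: fail closed

@dataclass
class Profile:
    """Per-account layered controls (constructed stand-in for a PIB profile)."""
    daily_limit: float
    monthly_limit: float
    window: Optional[Tuple[time, time]] = None   # permitted hours (same day), None = 24/7
    disabled_types: Set[str] = field(default_factory=set)
    registered_pcs: Optional[Set[str]] = None    # None = no PC restriction
    allowed_regions: Optional[Set[str]] = None   # None = no geographic restriction
    confirm_for: Set[str] = field(default_factory=lambda: {"HIGH"})
    notify_email: str = ""

@dataclass
class Transfer:
    txn_type: str
    amount: float
    destination: str
    when: datetime
    pc_id: str
    region: str
    confirmation_ok: bool = False  # member entered a valid confirmation code

@dataclass
class Decision:
    risk: str
    allowed: bool
    failed_layers: List[str]
    notifications: List[str]

def evaluate(profile: Profile, txn: Transfer, spent_today: float, spent_month: float) -> Decision:
    """Run every layer and report all that fail, so one tripped control never hides another."""
    risk = classify_risk(txn.amount, txn.destination)
    failed: List[str] = []
    if txn.txn_type in profile.disabled_types:
        failed.append(f"transaction type {txn.txn_type!r} is disabled for this account")
    if spent_today + txn.amount > profile.daily_limit:
        failed.append(f"daily limit {profile.daily_limit:.2f} exceeded")
    if spent_month + txn.amount > profile.monthly_limit:
        failed.append(f"monthly limit {profile.monthly_limit:.2f} exceeded")
    if profile.window and not (profile.window[0] <= txn.when.time() <= profile.window[1]):
        failed.append("outside the account's permitted transaction hours")
    if profile.registered_pcs is not None and txn.pc_id not in profile.registered_pcs:
        failed.append(f"PC {txn.pc_id!r} is not registered")
    if profile.allowed_regions is not None and txn.region not in profile.allowed_regions:
        failed.append(f"region {txn.region!r} is not permitted")
    if risk in profile.confirm_for and not txn.confirmation_ok:
        failed.append(f"confirmation code required for {risk}-risk transfer")
    notifications = []
    if profile.notify_email:  # slide: notify on every online banking transaction
        outcome = "blocked" if failed else "completed"
        notifications.append(f"{profile.notify_email}: {txn.txn_type} {txn.amount:.2f} {outcome} ({risk} risk)")
    return Decision(risk, not failed, failed, notifications)

def demo() -> List[Decision]:
    """Constructed business-account profile and three sample transfers."""
    profile = Profile(daily_limit=25000.0, monthly_limit=100000.0,
                      window=(time(7, 0), time(19, 0)), disabled_types={"audio"},
                      registered_pcs={"PC-OFFICE-01"}, allowed_regions={"US-MI"},
                      notify_email="treasurer@example.com")
    transfers = [
        # business hours, registered PC, home region, confirmation code entered
        Transfer("billpay", 12000.0, THIRD_PARTY, datetime(2011, 12, 15, 10, 30), "PC-OFFICE-01", "US-MI", True),
        # late night, unknown PC, unexpected region, no confirmation code: four layers trip
        Transfer("a2a", 8000.0, THIRD_PARTY, datetime(2011, 12, 15, 23, 10), "PC-UNKNOWN", "XX"),
        # small savings-to-checking move: LOW risk, no confirmation code needed
        Transfer("internal", 200.0, OWN_ACCOUNTS, datetime(2011, 12, 15, 10, 45), "PC-OFFICE-01", "US-MI"),
    ]
    return [evaluate(profile, t, spent_today=0.0, spent_month=40000.0) for t in transfers]

if __name__ == "__main__":
    for d in demo():
        print(d.risk, "ALLOWED" if d.allowed else "BLOCKED", d.failed_layers, d.notifications)
```

The second sample transfer is blocked by four independent layers (hours, PC registration, region, missing confirmation code); in a real deployment the notification line and the failed-layer list are what the credit union's monthly MNAUDT-style review would look at when deciding whether a blocked attempt is suspicious activity.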
Layered Security
When? Ideally at account setup but ASAP for all high-risk accounts.
15
Global Security Settings MNMGMC #16
16
MNCNFE #1
17
MNCNFE #1 – A2A
18
MNCNFE #1 - PIB
19
MNCNFE #1 - PIB
20
MNCNFE #1 - PIB
21
PIB at the Account Level – MNSERV # 22
22
MNSERV #22 – Change PIB Settings
23
MNSERV #22 – Change PIB Settings
24
PIB Member Experience
25
Ongoing Monitoring – MNAUDT # 10
26
Member Education
• An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.
• An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials.
  Note: From a security standpoint, this should be rarely, if ever.
27
Member Education
• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically.
• A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found.
• A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.
28
Sharing Information
CU*Answers ExamShare and PolicySwap will be live March 1, 2012. Until that time, please share your:
• Assessments
• Policies
• CIP cards and procedures
29
What’s Next
• Mid January web conference for reviewing examination checklist (if completed by FFIEC) and peer processes and policies (collaborative with CU*Answers clients)
30
Reference Material
PIB Made Simple – Try it with your staff http://cuanswers.com/pdf/cb_ref/PIBStaffTryIt.pdf#2009-02-12
Roll-Out Strategies http://cuanswers.com/pdf/cb_ref/PIBRollout.pdf#2010-10-12
PIB Configuration and User Guide http://cuanswers.com/pdf/cb_ref/PIBConfiguration.pdf#2011-12-09
Answering Your Questions about PIB http://cuanswers.com/pdf/security/CUFAQs.pdf#2007-12-07
31
Questions?
32
LEGAL DISCLAIMER
The information contained in this email does not constitute legal advice. We make no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in this email. You should retain and rely on your own legal counsel, and nothing herein should be considered a substitute for the advice of competent legal counsel. These materials are intended, but not promised or guaranteed to be current, complete, or up-to-date and should in no way be taken as an indication of future results. All information is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will CU*Answers, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information provided or for any consequential, special or similar damages, even if advised of the possibility of such damages.
33